Java: A Malware Writer’s Dream Come True
Not too long ago I wrote about how to Make Firefox More Secure by Disabling Java in it. Since I wrote that article in November, nearly every malware cleanup I have done since then has used Java as it’s injection vector, and that has been quite a lot. This has become a HUGE wide spread security issue for Windows users, and it’s all thanks to Oracle’s Java plugin for web browsers.
Java isn’t supposed to allow apps with out a certificate to execute unless the user gives it permission to. The problem is that there are bugs in the Java plugin that allow malicious apps to still run, regardless of the user clicking allow or block! I don’t know if the latest Java update version has patched these holes or not. Every system I have seen though has been running Java 6, just one of the lower update numbers (they’re on update 18 at the time of this writing). Compounding the issue is that most people never update Java. Heck, I hardly ever used it, so I never updated it either.
The Java plugin is allowing malware writers to infect machines, no matter which web browser or which version of the browser the victim is using. Java is allowing malicious code to run, which in turn infects machines. This needs to be stopped, and the best way to do so is completely remove Java from your computer. I urge everyone to uninstall the Java plugins immediately. If this is not an option for you because you need Java for some poorly coded website, or obscure photo uploader (thanks Facebook), then you should at least be disabling Java in your browser until you come to the page you actually want it to run on.
In my previous article I showed you how to disable it in Firefox 3.5. Well, since then Firefox 3.6 has come out, and it changes how the Java Plugin has to be disabled. Now you have to click Tools -> Addons -> Plugins
Find the “Java(TM) Platform SE x Uxx” (the x’s are version numbers), and click the Disable button on it. There is also a “Java Deployment Toolkit” that you should disable as well.
If you’re using Internet Explorer you should uninstall Java completely. In IE you’re supposed to be able to click Tools -> Internet Options -> Manage Add-ons, then find all of the Java Plug-in’s in there going through the various lists, and disable them, but I have not been able to. Even though I have disabled every single java plugin possible, when I visit a java web site, it still loads up Java. For this reason, I recommend completely removing Java from your computer if you’re in IE user. Or even better yet, use Firefox which actually disables the Java plugin when you click the disable button in it. IE sucks, stop using it.
For Firefox, that’s it. Rest assured you have once again secured your browser. If you visit a site you TRUST explicitly, then you will simply need to revisit the Plugin and click Enable. The change is instantaneous and fortunately doesn’t require a browser restart.
I can already hear you now “Just make sure you’re updated to the latest version”. To that I say NO. Java has proven itself HIGHLY dangerous to a computer’s security. Allowing it to sit there and load, even if it’s the latest version, is ill-advised as any new exploit could be found at any time and allow the malicious code through again.
Just say NO to java!
Brandon
Great tip. I wish Flash wasn’t everywhere so we could disable it, too.
– B